The figure sounds alarming, 60 percent of small companies went out of business within six months of a breach. And, that stat was repeated several times by lawmakers as a House panel debated - and approved - legislation aimed at helping small businesses battle hackers.
"According to the U.S. National Cyber Security Alliance, 60 percent of small businesses go bankrupt six months after a cyberattack," said Lamar Smith, R-Texas., chairman of the House Science, Space and Technology Committee, at a markup session that approved NIST Small Business Cybersecurity Act, or HR 2105, on a voice vote on May 2. The bill, if enacted, would direct the National Institute of Standards and Technology to tailor cybersecurity guidance for small businesses based on NIST's cybersecurity framework.
"The 2011 statistic that '60 percent of businesses close within 6 months of a cyberattack' is not from NCSA and its original source cannot be confirmed."
At least two other committee members referenced the same statistic at Tuesday's markup session. And it's been cited before at another congressional hearing. "Fifty percent of SMBs (small and midsize businesses) have been the victims of cyberattack and over 60 percent of those attacked go out of business," Jane LeClair, then the chief operating officer of the National Cybersecurity Institute at Excelsior College, testified at an April 22, 2015, hearing of the House Committee on Small Businesses. Researching the origins of that statistic, then Securities and Exchange Commission member Luis Aguilar wrote in an Oct. 19, 2015, article that though "LeClair does not provide a citation for this statistic, it appears to come from a 2012 study by the National Cyber Security Alliance."
It Wasn't Us
It's a powerful stat, but don't credit the Alliance.
"The 2011 statistic that '60 percent of businesses close within 6 months of a cyberattack' is not from NCSA and its original source cannot be confirmed," Michael Kaiser, the Alliance executive director, said in a statement responding to an Information Security Media Group inquiry about the statistic. "We recommend that media, policy makers, small businesses and others not use that statistic and rely upon information that is current and relevant. Our team is working to proactively limit this stat's further sharing and usage."
The mystery surrounding the origins of the statistic doesn't necessarily make it fake news. Some organization likely conducted a survey, producing that 60-days-in-six-month conclusion. Let's assume 60 percent of small businesses go out of business six months after a cyberattack. Is that implication correct that the cyberattacks caused these businesses to fail?
Missing Link: Correlating Attacks to Business Failures
What we don't know is whether a direct correlation exists between the cyberattacks and these business failures. The cyberattacks might have been a factor in their failures, then again, maybe not. But just as likely, other causes could might have hastened their failures, including poor management, insufficient capital, lacking of planning, over expansion and bad location, to name a few.
Starting and maintaining a small business is tough. According to the U.S. Bureau of Labor Statistics, about 20 percent of businesses no longer exist a year after their founding. Five years later, about half of those businesses no longer operate. The BLS stats are just facts, and don't explain why these companies are no longer in business. The BLS data go back to March 1994 and are relatively consistent year to year. Because BLS data reach back 23 years, one could surmise that security breaches had little to do with these business failures because cyberattacks weren't a significant problem. After all, few businesses in the mid-1990s were connected to the internet. The consistency of the BLS data suggests other factors other than cyberattacks caused businesses to fail.
And even anecdotal evidence offered by the chief sponsor of the bill does not support the premise that cyberattacks result in the failure of small business. Republican Rep. Daniel Webster of Florida owns the multi-generational family business Webster Air Conditioning & Heating in central Florida that was targeted by a ransomware attack. He says his business didn't pay the ransom, and fortunately had its data backed up, which aided in restoring the IT system frozen by the blackmailers. He cited another business that paid the ransom, and then was attacked again a few months later. Both businesses continue to operate. Webster contends businesses like his might have avoided the ransomware attack if NIST guidance aimed at small businesses had been in place (click on player above to listen to Webster discuss the ransomware attack).
Compelling arguments can be made why Congress should enact legislation to aid small businesses in strengthening their cyberdefenses, but lawmakers needn't rely on alarmist statistics that mystifyingly appeared in the ether to make their point.
An earlier version of this blog misstated the state Lamar Smith represents. He's from Texas, not Florida.